{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48189", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-05-21T07:53:13.254Z", "datePublished": "2026-06-01T03:33:03.373Z", "dateUpdated": "2026-06-01T13:14:49.791Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Customer Backend"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"lessThanOrEqual": "2026.3.x", "status": "affected", "version": "2026.x", "versionType": "patch"}]}], "datePublic": "2026-06-01T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and&nbsp;<code>CustomerGroupSupport</code>&nbsp;has to be used to be affected.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li></ul><br><p></p>"}], "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and\u00a0CustomerGroupSupport\u00a0has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-06-01T03:33:03.373Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-03/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>"}], "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}], "source": {"advisory": "OSA-2026-03", "defect": ["Ticket#2026052110000161", "Issue#3780"], "discovery": "USER"}, "title": "Bypass DedicatedAgentToCustomerGroups Setting", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-01T13:14:38.008285Z", "id": "CVE-2026-48189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T13:14:49.791Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-48189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-01T13:14:38.008285Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T13:14:45.902Z"}}], "cna": {"title": "Bypass DedicatedAgentToCustomerGroups Setting", "source": {"defect": ["Ticket#2026052110000161", "Issue#3780"], "advisory": "OSA-2026-03", "discovery": "USER"}, "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OTRS AG", "modules": ["Customer Backend"], "product": "OTRS", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"status": "affected", "version": "2026.x", "versionType": "patch", "lessThanOrEqual": "2026.3.x"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches", "supportingMedia": [{"type": "text/html", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>", "base64": false}]}], "datePublic": "2026-06-01T07:00:00.000Z", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-03/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and\u00a0CustomerGroupSupport\u00a0has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X", "supportingMedia": [{"type": "text/html", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and&nbsp;<code>CustomerGroupSupport</code>&nbsp;has to be used to be affected.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li></ul><br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-06-01T03:33:03.373Z"}}}, "cveMetadata": {"cveId": "CVE-2026-48189", "state": "PUBLISHED", "dateUpdated": "2026-06-01T13:14:49.791Z", "dateReserved": "2026-05-21T07:53:13.254Z", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "datePublished": "2026-06-01T03:33:03.373Z", "assignerShortName": "OTRS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "650E99BF-9E05-496F-BD59-5542A95FD221", "versionEndIncluding": "8.0.37", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "476B2F02-24EA-43BB-BEA8-282D7D71B386", "versionEndExcluding": "2026.4.1", "versionStartIncluding": "2023.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and\u00a0CustomerGroupSupport\u00a0has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}], "id": "CVE-2026-48189", "lastModified": "2026-06-15T12:45:43.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2026-06-01T04:16:22.723", "references": [{"source": "security@otrs.com", "tags": ["Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2026-03/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@otrs.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.1.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2023.0.0,2024.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2024.0.0,2025.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.0.0,2026.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.0.0,2026.4.0)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "OTRS", "source": "cna", "vendor": "OTRS AG"}, "product": "otrs", "vendor": "otrs"}], "created": "2026-06-01T05:30:20.995405+00:00", "updated": "2026-06-02T20:30:16.922414+00:00", "vendors": ["otrs", "otrs$PRODUCT$otrs"]}